I'm having some trouble. My boss keeps telling me to be 'more Agile.' What does that even mean? And how can I make an immediate turn toward Agility? ~Walter Fall
Hi Walter,
We hear it all the time: "Be more agile!" But what does that really mean, and how can we actually start implementing it today?
Well, you're in luck, I've got three practical steps you can take right now to embrace agility.
On Airplanes and Agile
Involve Your Customer More Closely
The foundation of any successful agile project is a deeply involved customer. By integrating your customer as a product owner who can speak for the project, you're setting yourself up for success. If your customer isn't part of the team and doesn't have a voice in the project, it's like building a house without blueprints or feedback—you may end up with something you didn't expect.
Empower Teams to Define Their Processes
Agile isn't about sticking rigidly to one process; it's about evolution and improvement through retrospectives. Allow your teams the autonomy to define and refine their processes throughout the project. As they learn and adapt, so too will the processes, resulting in a more efficient and responsive way of working.
Clearly Define Roles and Accountabilities
Nothing steers a project off course quicker than uncertainty about roles and responsibilities. By clearly defining these at the outset, you give your team members the authority and responsibility to make decisions. This empowerment reduces the need for senior management intervention and streamlines the decision-making process, leading to a more agile project.
Implement these three steps, and you'll start feeling more agile right away.
Like this blog? Forward to your nearest engineering or software exec!
Jeff Dalton is a Certified Lead Appraiser, Certified CMMI Instructor, author, and consultant with years of real-world experience with the CMMI in all types of organizations. Jeff has taught thousands of students in CMMI trainings and has received an aggregate satisfaction score of 4.97 out of 5 from his students.
Visit www.broadswordsolutions.com for more information about running a successful CMMI program. Visit CMMI-TV to see some cool videos about CMMI, Agile, and more.
What happens when a customer requests that we become CMMI level three, or even level five? It's often hard to see the differences, right?
Signed,
Confused About the Difference.
Hi Confused!
Actually, the distinctions between the Capability Maturity Model Integration (CMMI) levels are quite meaningful. Each level represents a progression of capabilities through the adoption of organized best practices within the organization's processes.
Let’s break it down:
Level 1: Initial
This is the foundational stage where the focus is purely on getting the work done. Organizations operating at this level may do a good job but aren’t necessarily focused on strategic processes or continuous improvement.
Level 2: Managed
At this stage, projects begin to organize around more structured process frameworks. There’s an emphasis on ensuring that project activities are being properly managed and measured, signaling the beginning of continuous improvement efforts.
Level 3: Defined
Organizations at this level are taking a broader view, applying established processes across projects. There's a consistent use of enterprise metrics and regular adoption of continuous improvement techniques to enhance performance.
Level 4: Quantitatively Managed
Here, the use of statistical models comes into play, underpinning performance improvements through data and metrics. This level reflects a sophistication in process management, where decisions are informed by hard data.
Level 5: Optimizing
The pinnacle of CMMI maturity, where statistical process models are applied across all facets of the organization. This ensures continuous improvement processes are deeply embedded, leveraging data for overall organizational benefit.
From Level 1 to Level 5, it’s an evolutionary journey for organizations to mature their processes, aiming to maximize efficiency and effectiveness by utilizing data and structured practices.
What is CMMI?
How CMMI V3.0 Could Help You Conquer CMMC V2.0 (Without Losing Your Sanity)
* Disclaimer: Jeff Dalton is a board member at CyberAB, and is precluded from delivering CMMC-related services for a period of 2 years after his term has ended. Broadsword neither sells nor markets CMMC services.
Struggling to maintain all of your government CERTS?
Okay, folks. Imagine this: You’ve just heard that the Cybersecurity Maturity Model Certification (CMMC) V2.0 is the latest must-have accessory for any defense contractor or supplier who wants to stay in the game. You might be thinking, “How do I make this work with all the other processes and certifications I already have?” Enter CMMI V3.0—the superhero of process improvement, here to help you survive this new world of cybersecurity compliance, without turning into a stressed-out puddle of nerves.
Here’s how CMMI could help you implement CMMC V2.0 like a pro—without the crying and hair-pulling.
1. Aligning Business and Cybersecurity: Because Who Wants to Juggle Two Different Worlds?
CMMI V3.0: This guy is all about linking process improvements to business outcomes like customer satisfaction, productivity, and those mythical things we call "efficiency."
CMMC V2.0: This one’s a bit more intense. Based on NIST 800-171, it’s got your back when it comes to safeguarding Controlled Unclassified Information (CUI). No one's stealing your secrets, buddy.
How CMMI V3.0 Can Help: Wouldn't it be nice if you didn’t have to choose between your business goals and cybersecurity? CMMI V3.0 can help you connect the dots between the two. It’s like setting up a dating profile for your business and cybersecurity goals. “Looking for mutual understanding, growth, and lots of collaboration.” CMMC's cybersecurity goals would seamlessly integrate into your broader strategy without breaking a sweat. Romantic, right?
2. Scalable Maturity Models: Because We All Want to Get Better, but Not Overnight
CMMI V3.0: Offers five levels of maturity, from “meh” to “wow, look at you go!” It’s a process of gradual improvement, one awkward baby step at a time.
CMMC V2.0: Same deal, but three levels—everything from “basic hygiene” (no, not THAT hygiene) to “advanced security practices” (aka your cybersecurity is so tight even James Bond would be impressed).
How CMMI V3.0 Can Help: CMMI V3.0 would let these two frameworks walk hand-in-hand, like an ideal couple. As your organization matures in CMMI, you can simultaneously level up your CMMC compliance. It’s like getting a gym buddy who shows up every day. Together, you’ll get stronger, more secure, and less likely to collapse in a heap.
3. Integrated Governance: For When Your Company Needs a Little “Tough Love”
CMMI V3.0: Governance is all about creating clear, documented processes and making sure everyone is following the rules. It’s like having a really strict librarian who checks over your shoulder to make sure you’re reading the right book.
CMMC V2.0: Requires you to establish strict governance over your cybersecurity efforts too. No, this doesn’t mean you get to be the "cybersecurity sheriff" at the office (but imagine the badge!).
How CMMI V3.0 Can Help: Imagine having the ultimate “cybersecurity watchdog” at your disposal. With CMMI V3.0, you get shiny new tools—like real-time dashboards and audit trails—that help keep track of all your compliance activities without breaking a sweat. No more scrambling through piles of paper or scrolling through endless email chains trying to prove you’ve got your act together.
4. Process Improvement for Cybersecurity: Because Even Cybersecurity Needs a Tune-Up
CMMI V3.0: This model is about making things work better. Think: better risk management, incident management, and configuration management. It’s like fixing up an old car—just with more spreadsheets.
CMMC V2.0: It’s the fancy new sports car that needs to be carefully maintained with precise cybersecurity practices. If something’s off, you’ll know it!
How CMMI V3.0 Can Help: You don’t need to treat CMMC like some separate thing. CMMI V3.0 would help you integrate cybersecurity directly into your everyday process improvement. It’s like having a mechanic who can not only fix the engine but also make sure it’s well-oiled for maximum performance. Incident management? Risk assessment? Check and check. You’ve got it all covered!
5. Documentation and Evidence: Because You Can’t Just Say You Did It (Spoiler: You Have to Prove It)
CMMI V3.0: We all know that good documentation is key—plans, procedures, metrics. Without it, you’re just a business without a paper trail. And that’s basically like being a superhero without a cape.
CMMC V2.0: You gotta document everything. Every incident response. Every access log. Every cybersecurity procedure, like you're preparing for a NASA mission.
How CMMI V3.0 Can Help: Imagine if CMMI V3.0 made documentation as easy as taking a selfie. (Okay, maybe not that easy, but close.) By helping you integrate cybersecurity documentation with your regular process improvement docs, CMMI V3.0 would make it a breeze to collect and organize the evidence you need for CMMC audits. No more scrambling at the last minute. You’ll look like the most organized person in the room. You're welcome!
6. Employee Training and Awareness: Because You Can’t Just Tell People, You Gotta Show Them
CMMI V3.0: Employee training is crucial. It’s like teaching your team the secret sauce of success—processes that everyone needs to follow to improve the company.
CMMC V2.0: If you think employee training for CMMI is tough, try training them in cybersecurity. We’re talking about protecting CUI, not the company coffee machine.
How CMMI V3.0 Can Help: Instead of making training feel like a boring lecture on a Friday afternoon, CMMI V3.0 could offer training modules that help employees learn about cybersecurity while also mastering process improvement. It’s a win-win—your team gets smarter about both CMMI and CMMC without the pain of attending yet another workshop.
7. Real-Time Monitoring and Feedback: So You Don’t Have to Guess How You’re Doing
CMMI V2.0: Gives you feedback in real-time, so you’re not left in the dark wondering how your process improvements are progressing.
CMMC V2.0: Requires you to constantly monitor cybersecurity efforts. Yes, it’s a lot of work, but think of it like a fitness tracker for your organization.
How CMMI V3.0 Can Help: With CMMI V3.0, you can track both your process maturity and your cybersecurity compliance in real time. It’s like having a GPS for your business—except it doesn't just tell you where you’re going, it tells you how fast you’re going, how much fuel you have left, and if you’ve passed the last exit for “Cybersecurity Best Practices.”
8. Integrating Cybersecurity and Risk Management: Because Cybersecurity Isn't Just a "Side Job" Anymore
CMMI V2.0 Risk Management: Think of CMMI as the thoughtful planner who sits down and evaluates risks from every angle—so nothing surprises you later.
CMMC V2.0 Risk Management: Requires a similar, but more intense, focus on cybersecurity risks—except now you have to be prepared for potential hackers and cyber threats that could derail your entire operation.
How CMMI V3.0 Can Help: With CMMI V3.0, you can bring your cybersecurity risk management into the broader enterprise-wide risk management framework. It’s like upgrading from a bicycle to a rocket ship. You’ll handle cybersecurity risks AND general business risks with the grace of a ballet dancer on roller skates.
Conclusion: CMMI V3.0—Your Ultimate Sidekick for Conquering CMMC V2.0
While CMMI V2.0 has already done wonders for organizations looking to implement CMMC V2.0, the potential of CMMI V3.0 could make the whole process feel less like a battle and more like a well-choreographed dance. With improved tools, real-time monitoring, and integrated frameworks, CMMI V3.0 can help you embrace CMMC compliance with open arms. And, let’s face it, in today’s world of cybersecurity, that’s about as close to superhero status as you’ll get.
So, strap in, folks. The future of CMMC V2.0 and CMMI V3.0 is looking brighter—and much less stressful—than ever before.
Fun to watch? Absolutely. Championship-level play? Not quite.
Meanwhile, there’s always one kid who hangs back—playing defense, watching the field, covering the goal. Not chasing glory, just playing their role. That kid isn’t flashy, but they’re going places. Why? Because they’re playing the game, not just the moment.
Sound Familiar?
At recent CMMI events, there’s been growing concern that CMMI appraisals are too expensive. Attendees talk about thousands of hours spent preparing, assembling documents, and scrambling to “get ready.” The cost, some argue, far exceeds the benefit.
If that’s really true—yes, we should be concerned.
But it raises an important question: Are these organizations truly operating at the level they’re trying to appraise? Or are they just playing a high-stakes version of bunchball?
Visualizing the Problem
Anyone who knows me knows I love whiteboards. I’m a visual thinker, and I often sketch out problems to get clarity. One of my favorite drawings is a (very rough) cliff scene with two sets of stick figures:
One group is clawing their way up the cliff, fingernails barely holding on, shouting: “Whooo hoooo! We MADE Level Three!”
The other group is already on top of the cliff, lifting barbells, stretching, and quietly saying: “We ARE Level Three.”
Now tell me—which appraisal was “too expensive”?
It’s Cheaper to Be Great
Here’s the reality: appraisals only feel expensive when organizations aren’t truly performing at the level they’re aiming for.
If your team is spending months digging up “evidence,” assembling PIIDs, and creating artifacts from scratch just to meet the requirements—you’re not appraisal-ready. Not yet.
That doesn’t mean you’re not doing great work. It just means you haven’t built a systemic approach yet. You’re still chasing the ball around the field.
The Championship Analogy
Let’s imagine a school principal tells a youth soccer coach:
“You must win the league championship before the end of fiscal year 2014.”
The coach might:
Hire consultants to teach a few winning techniques from last year
Bring in “ringers” to fill key roles like goalie
Assign consultants to shadow players and correct every mistake
Lobby the league for friendly referees
Sure, they might win a few games. But when the season ends, they’re still just a bunchball team.
Now imagine a wiser coach replies:
“We’re not ready to win the championship yet, but we can have a winning season.”
And then that coach:
Trains and practices regularly
Teaches kids to play their positions and work as a unit
Brings in experts to build skills, not just win trophies
Puts players in roles suited to their strengths
Gets honest, unbiased feedback from referees
That’s how real champions are built. And it’s the same with organizations pursuing CMMI maturity.
Appraisals Aren’t the Problem—Readiness Is
CMMI is a global benchmark of excellence. If we want appraisals to mean something, they should be challenging. But they don’t have to be expensive.
If an organization is already operating at Maturity Level 2 or 3, proving it shouldn’t be painful. The cost of the appraisal is reasonable, because the behaviors are already present.
If you’re not quite there yet? Trying to appear ready can cost a fortune—and might still fall short.
“But What About All the Paperwork?”
Good question. Someone at a recent conference asked:
“Don’t document inventories take a huge amount of time?”
They can—but they shouldn’t.
In a well-run ML2 or ML3 organization, work products are well-managed. Strong Configuration and Data Management practices mean artifacts are easy to locate and demonstrate. There’s no need to compile huge inventories from scratch—because the data already exists in good order.
That means fewer headaches. Lower prep time. Lower cost.
The Bottom Line
CMMI appraisals are only expensive when you’re faking it. Not because the model is broken, but because the team isn’t ready.
It’s cheaper to be great than it is to fake it.
Focus on building capability. Develop your team. Play your positions. When you're truly performing at a high level, appraisals become proof—not a burden.
What does it mean when one of your customers asks you to become CMMI Level 3, or maybe even Level 5? What are the differences between these levels?
Thanks for your help! ~Leval Uhp
Great questions, Leval!
Each of these levels has a specific meaning in the world of CMMI (Capability Maturity Model Integration).
The CMMI model includes anywhere between 19 and 21 practice areas, depending on the domain you choose.
Whether you're at Level 1 or Level 5, all of these practice areas are included. The key difference lies in which practices within each area are adopted and implemented ("practice groups"). CMMI is a comprehensive framework of best practices organized by Practice Area.
When we conduct an appraisal, we examine these Practice Areas, and the appropriate Practices within them that correspond to Practice Groups 1 - 5.
Let's break down each level:
**Level 1: Initial**
At Level 1, the focus is primarily on just getting the work done. There's little emphasis on continuous improvement or organizational strategy. Instead, the aim is to accomplish tasks effectively, even though practices may not be formalized.
**Level 2: Managed**
By the time an organization reaches Level 2, processes are more structured. Projects start to organize themselves from a process standpoint by measuring performance and ensuring process adherence, paving the way for continuous improvement within the CMMI framework.
**Level 3: Defined**
Level 3 takes a broader enterprise approach. Organizations at this stage implement processes and metrics that apply enterprise-wide to ensure consistency and continuity across various projects. The regular adoption of continuous improvement techniques becomes a priority for overall company performance enhancement.
**Level 4: Quantitatively Managed**
Here, the focus shifts to using data-driven approaches to getting work done. Organizations develop statistical process performance models to leverage data and statistics to drive performance improvements.
**Level 5: Optimizing**
At the pinnacle, Level 5, organizations apply quantitative Process Performance Models ("PPMs") across selected processes within the product or service lifecycle.
This level exemplifies a mature use of data and enterprise processes to enhance capabilities and processes comprehensively.
So, the transition from Level 1 to Level 5 is an evolutionary journey. Starting at Level 1, organizations are in the early stages of their continuous improvement journey; by Level 5 they are fully mature, leveraging data, enterprise metrics, and processes to their fullest potential.
At Broadsword, we’ve been cooking up CMMI training for over 20 years — that’s like two decades of making process improvement a tasty dish!
Our secret sauce? Three succulent goals that’ll keep your learning journey juicy and fun.
First up: we want you to see CMMI not as a boring checklist (yawn), but as a magical recipe for transforming your company’s culture and behaviors — kind of like turning your office into a productivity smoothie.
Next, we’ll arm you with enough CMMI know-how to impress even the toughest process nerds, so you can whip up processes that fit the model like a glove — or at least like a really comfy sock. Lastly, we’ll boost your confidence so high that when it’s time for your maturity level assessment (Level 2, 3, 4, or 5 — take your pick!), you’ll be strutting in like a CMMI Rockstar, ready to ace that appraisal without breaking a sweat.
So why not join us and unlock the secret powers of CMMI? Your company’s transformation adventure awaits!
I'm really afraid of failing my company's appraisal. We've been working so hard on it! What are some things to avoid if we're looking to pass our appraisal? ~Ima Frade
Dear Ima,
Helping you out of your predicament here is Darian Poinsetta, the president and CEO of Broadsword Solutions and a certified lead appraiser. He's giving me a little break for blog writing today. With years of experience helping companies align with CMMI maturity levels, Darian has witnessed firsthand the pitfalls that can take down even the most well-meaning organizations.
The Three Pitfalls to Avoid
1. Misaligned Processes:
A common way organizations set themselves up for failure is by having processes that aren’t aligned with the company's goals. It’s crucial to remember: if your processes aren’t driving your company toward its objectives, they’re essentially useless. Each process should serve the broader purpose of advancing your company’s mission. This is why understanding CMMI Process Areas is essential to aligning your processes correctly.
2. Lack of Senior Leadership Engagement:
Without the active engagement of senior leadership, an appraisal is doomed to struggle. Leaders provide the resources, funding, and training necessary to implement and sustain processes. Their support is vital for any organization aspiring to pass an appraisal, and without it, the path forward becomes significantly more challenging. Senior leadership involvement is integral, and our CMMI Leadership Training can help guide your team through the process.
3. Insufficient Time for Process Adoption:
Lastly, organizations often falter by not allowing their teams enough time to adapt to and utilize new processes. Rushed implementations can result in confusion and inefficiencies. It’s essential to give employees ample time to integrate processes into their daily routines, understand how they work, and identify improvements over time. Process Adoption is a long-term commitment, and understanding its importance can make all the difference.
By steering clear of these pitfalls, organizations can greatly enhance their chances of success and ensure their processes meaningfully contribute to achieving company goals.
Bridging CMMI Requirements Development with Agile Practices: Making “Stuff” Happen
Do Agile Teams even use Process?
Many Agile teams studying the Requirements Development and Management (RDM) practices in CMMI ask the same question: “How is any of this agile?”
It’s true—the model doesn’t prescribe specific techniques, and the language can feel dated or overly formal to Agile teams deep in their day-to-day work. But that doesn't mean it’s not compatible. In fact, with the right translation, the CMMI can significantly strengthen how your team approaches requirements—without abandoning Agile values.
When Process Language Gets in the Way
To borrow a line from Gloria Estefan: "The words get in the way."
CMMI’s terminology—think “product and product component requirements”—might work in a classroom or a textbook, but on an Agile team board? Not so much. In practice, I drop the jargon and meet teams where they are.
Instead of rigid terms, I talk about stuff:
The stuff customers say they want (even though it will change).
The stuff we build to try to satisfy them (which also changes).
The stuff we validate, to make sure it's useful—and fundable.
The challenge is aligning that “stuff” with CMMI RDM practices in a way that feels natural, not forced.
A Three-Tiered Requirements Architecture for Agile Teams
To help Agile teams ground their requirements in real, actionable practices, I often recommend a three-tiered architecture plus a cascading “definition of done” that supports clarity, traceability, and better delivery.
Let’s break it down:
Tier 1: The Product Backlog
The backlog captures customer needs in priority order. In CMMI-speak, this aligns with eliciting and developing customer requirements.
Here’s where estimation often comes into play—especially when customers ask questions like “We’re not sure what we want, but how much will it cost?”
For this, Agile teams can use:
Wideband Delphi: A collaborative, experience-based estimation method similar to Agile practices, but focused on effort, not story points.
It's a great middle ground for government or large corporate customers still struggling with the concept of relative sizing.
Tier 2: Epics
Epics represent high-level, user-focused narratives—each potentially encompassing multiple user stories.
While often dismissed as just “big stories,” epics are critical for validation. They help teams and stakeholders clarify scenarios before diving into detailed development. They also uncover defects and assumptions early.
Estimation at this tier shifts toward relative sizing, using tools like:
The Fibonacci Game or the Team Estimation Game (still collaborative, but faster and more intuitive than formal effort estimates)
Tier 3: User Stories
User stories are the most familiar Agile artifact: focused narratives with clear tasks, completed within a sprint.
CMMI's RMN is especially useful here—it can help uncover hidden or missed requirements that aren't typically found in the backlog.
By the time a story reaches this tier, it’s been validated and refined from initial need → epic → story → task. This clarity makes Planning Poker a natural fit for estimation.
Cascading “Definition of Done”: Validating at Every Level
To bring it all together, I recommend teams define a set of tier-specific validation questions. These help ensure that each requirement, whether a backlog item, epic, or story, meets a minimum threshold of clarity and feasibility.
Some examples:
Is there a clear narrative for the Epic or User Story?
Is the source reliable and validated?
Can all stakeholders understand the request?
Are test cases defined?
Does functionality meet funding and performance requirements?
Have we done this before? Do we have the data?
Is there significant risk we need to manage?
This creates a “gate” at each level of granularity—backlog, epic, story—helping teams spot ambiguity or risk before development begins.
Bonus Tip: Use a “Confidence Matrix”
Teams can also implement a lightweight Confidence Matrix:
Mark each validation question as strong or weak.
Tally up a Confidence Score per story.
Use it as a multiplier or input for risk-based estimation.
Over time, teams can even experiment with weighted scoring for more precision.
CMMI Isn’t Anti-Agile—It Makes Agile Better
These are just a few ways to apply CMMI Requirements Development in an Agile context. When teams use CMMI not as a constraint but as a lens for improvement, it helps them level up—starting from the stuff they’re already doing.
So don’t think of RDM as old-school bureaucracy. Think of it as a toolkit to help you:
Clarify what you’re building.
Estimate with more confidence.
Deliver high-quality stories that matter.
Get your requirements architecture in place first—and then go deeper into CMMI. There’s plenty more gold to mine.
Onward!